2022-11-24 Next steps digging into the hardware are more on the software side
From a perspective of security research I only touched the surface of the security research on the Corinex CXWC-HD200-WNeH and the Cab.Link CLS-D4E2WX1 by finding default credentials for telnet. To get a further insight I need to first enumerate the network attack surface completely. What services are running, what programs run those services. The ultimate step would be to build an emulation environment where I can run the programs from the routers under my control and find out about the programs and get a first few steps into reverse engineering. With qemu it is possible to emulate MIPS systems on x86 hardware, so I can build a test environment. It would need some work to get old enough versions of code and kernels to create a compatible environment. The Corinex router mentions compilation in 2012 but with Linux kernel 2.6.21 which was released 25 april 2007. The Cab.Link router mentions compilation in 2013 but uses Linux kernel 2.6.31 which was released 9 september 2009.
2022-11-22 Opening the Cab.Link CLS-D4E2WX1 and getting full access
Read the rest of Opening the Cab.Link CLS-D4E2WX1 and getting full accessAfter getting a good look at the Cab.Link CLS-D4E2WX1 from the outside it was time to void the warranty and open the box. The two screws are hiding under the little rubber feet at the front side and after removing those two screws the case opens with a bit of jiggling. This device has an external 12 volt 1 ampere power supply. Chips found on the board:
I also see an extra board (leftside of the picture, blue) where the u.fl cable to the wifi antenna starts. It has a few larger chips but those have a label over them. I guess one of them must be the CPU because I haven't seen a chip with that function yet. The makers of the Cab.Link CLS-D4E2WX1 were kind enough to include 4 pins labeled J30 (bottom left of the picture) which are a very obvious candidate for being the uart port. Again the process for find GND, TX, RX and Vcc was done and the right pins found. With the board in front and the J30 readable the pins are from left to right TX, RX, GND and 3.3 volt. I name the TX and RX pins from the view of the system, so I see data transmitted on TX and I send data to RX.
- Realtek RTL8306E - 6-port 10/100 mbps ethernet switch controller
- Winbond W9412G6KH-5 - DRAM 128MBIT memory
- Qualcomm QCA7411L-AL3C - Homeplug AV / IEEE 1901 the ethernet over cable interface I guess
2022-11-19 Next hardware to poke around in: Cab.Link CLS-D4E2WX1 router
The earlier Ethernet over Cable modem/router I poked at didn't come alone, from the same source I also got a Cab.Link CLS-D4E2WX1 cable modem/router. Doing a search for it finds actual listings for trying to order them wholesale: Buy Wholesale China 7400-eoc Slave Modem, Separate Tv And Ethernet From One Cable, 4 Ethernet Ports Output & 7400-eoc Slave Modem at USD 127 | Global Sources and Eoc Male Slave 4 Ethernet Port With Wifi - Buy Eoc Esclavo Product on Alibaba.com. Both listings call it an EOC slave. Given the terminology I expected EOC master devices to exist as well and I soon found out those exist and can be pricey. So I'm not going to spend money on this subject, but I may be interested in recycling an EOC master unit. The unit has one external wifi antenna, 4 ethernet ports, external power supply 12V and 9 leds. The cable connection is via 2 female F connectors with one labeled 'Cable' and one labeled 'TV'. I do notice the case has a lot of ventilation holes. On the underside is a label with the manufacturer name, model name, a default equipment management IP 10.10.1.250, a Wireless Network Name 'wifi' and the EOC and Wifi Mac addresses as numbers and barcodes, and the serial number as number and barcode. The unit has four little rubber feet (full LRF support) and two of those are hiding screws to open the unit. On switching the Cab.Link router on I indeed see a wifi network appear with the name 'wifi' which on connecting gives me an IPv4 address in the 192.168.1.x range with the default gateway 192.168.1.1.The Cab.Link router has a web interface listening on port 80. It directly asks for http authorization but using admin/admin for username and password gets me right in. Up until now I haven't found any reference to PLC or EOC in the webinterface. The Cab.Link also has a telnet server running on port 23. It greets me with an OpenWRT banner but the first few attempts at finding username/password do not let me in:$ telnet 192.168.1.1 Trying 192.168.1.1... Connected to 192.168.1.1. Escape character is '^]'. WARNING: telnet is a security risk OpenWrt login: admin Password: Login incorrect OpenWrt login: root Password: Login incorrect OpenWrt login:I like the 'telnet is a security risk' warning!
2022-11-18 Current thoughts on hardware hacking
I closed the case of a vulnerability in the Corinex CXWC-HD200-WNeH with a confirmation from the vendor that this is a device completely out of support. Which confirms the public information I found when I started looking into this device. This was all related to the course in hardware hacking I took and applying the new knowledge. So now I can look back on this experience and think about my future here. Hardware hacking has serious links to my current job as technical security specialist. In my work I regularly have to look at vulnerabilities and assess the chance and impact of misuse of the vulnerability. With hardware hacking I find vulnerabilities by researching hardware. This helps me understand the chance and impact factor of other vulnerabilities. There is also a link to my education: part of that was MTS electronics. I learned how to solder, before SMD components were a thing and I think I got some explanation about switching mode power supplies at the end. As I got into computers I didn't do much with this education but the last years in amateur radio have made me get out the soldering iron again. There is a clear link to my hobby of amateur radio. My interest in amateur radio is linked to wanting to know how things actually work. Hardware hacking is also done with RF signals so I may get into more RF related hardware hacking. My current thought is that I want to continue in this subject. It's given me joy: getting into a device in new and unexpected ways gives joy! I have learned new things. I noticed I need to feed the brain regularly with new information and actually learning something new is much better brainfood than browsing social media. At the same time social media is the way to learn more about this subject and interact with other people interested in this subject. I ended up on /r/hardwarehacking on reddit and already learned from others and shared some of my own insights! There is the thing about RFID/NFC security. I have looked into this in the past, mostly by getting the tools to peek into the MiFare classic cards. I am considering going further with this area of hardware hacking. Prices of hacking tools for this area like the proxmark3 or the flipper zero are above the 'nice to try a few things' level. On the other hand I think I could have loads of fun there, and the overlap with amateur radio is very clear. At the end of this bit of writing: thanks to people who share their hardware hacking experiences on-line! Thanks to Jilles Groenendijk, Router Archeology: Sitecom WL-330 - Habbie's journal, @Flashback Team on youtube, Make Me Hack on youtube, and Boschko Security for sharing their stories and knowledge.
2022-10-31 I found a vulnerability in the Corinex CXWC-HD200-WNeH and I tried to report it
Somewhere between the digging in the Corinex CXWC-HD200-WNeH I found a vulnerability. A combination of a misconfigured network filter and a default account make it quite easy to get into the device and get full access. I tried to report this vulnerability before publishing about it. Timeline:Read the rest of I found a vulnerability in the Corinex CXWC-HD200-WNeH and I tried to report it
- 24 September 2022 I mailed a general address at Corinex about this
- 29 September 2022 I mailed someone who wrote about Corinex devices in the Netherlands
- 28 October 2022 I tried to contact @CorinexCorp on twitter via a mention
All this got exactly zero response.Update 2022-11-17: @CorinexCorp responded on twitter: Hi Koos. Apologies for a lack of response. Corinex no longer supports CXWC-HD200-WNeH devices. The company exited the consumer market many years ago. Because this device is out-of-support for years now and should not be in use anywhere anymore, I think I've invested enough effort in trying to report this vulnerability to the right people and I can now publish this and close this chapter. On to the actual vulnerability. Like a lot of other vulnerabilities this is a case of multiple things coming together.
2022-10-29 Trying to figure out the Ethernet over Cable in the Corinex CXWC-HD200-WNeH
Another attempt at trying to understand the Ethernet over Cable stuff in the Corinex CXWC-HD200-WNeH that I have been working on. I found this on the device:# /app/plcStatus Socket creation success. Socket binding to vlan1 success. Send success (22). Send success (22). Node type: 01 Ip address: 0.0.0.0 Parent mac: 00:00:00:00:00:00 Up speed: 00 Down speed: 00 Child count: 00 #The use of 'plc' (PowerLine Communications) and the way this works suggests to me this is indeed an ethernet-over-coax device (so no docsis). But I can't figure out where the ethernet-coax bridge is. I thought plcStatus would use some ethernet protocol to communicate with the bridge (just as the devolo dlan tools do) but I can't find any trace of the traffic on the wifi interface.
2022-10-07 Grabbing the firmware from the Corinex CXWC-HD200-WNeH and extracting the root filesystem
My dive into the Corinex CXWC-HD200-WNeH continues. After getting root on the serial console of the Corinex CXWC-HD200-WNeH I ordered similar gear as used in the hardware hacking course to do my own hardware hacking. It arrived this week and today I had some time to play with it. Using the techniques from the course I found the serial console interface again. The CPU board has 4 through-holes, that is a likely candidate. Next step is finding which pin is which using a multimeter. Ground pin has continuity to any other shield. One pin is at 0 volts without continuity to ground: the receive data pin (from the viewpoint of the chip), another pin has a varying voltage near the maximum voltage, this is the transmit data pin (again from the viewpoint of the chip) and the fourth one has the constant maximum voltage, which was 3.3 volts in this case. I switched my USB to serial interface to 3.3 volts and connected the TX on the system to the RX on the serial interface and the RX on the system to the TX on the serial interface. I used Dupont cables to make this connection. With minicom as communications program I opened the right interface: minicom -D /dev/ttyUSB0. After powering the router I got unreadable characters on the screen, I had to adjust the serial port rate. This router has a serial console at 57600 bps, 8 bits, no parity, 1 stopbit. And messages came out:Read the rest of Grabbing the firmware from the Corinex CXWC-HD200-WNeH and extracting the root filesystemU-Boot 1.1.3 (Jan 31 2013 - 17:23:55) Board: Ralink APSoC DRAM: 32 MB relocate_code Pointer at: 81fa8000 flash_protect ON: from 0xBF000000 to 0xBF02435F
2022-09-25 Found a "Corinex CXWC-HD200-WNeH"? Let me know!
Officially the "Corinex CXWC-HD200-WNeH" cable modem is out of support for years and deployments should have migrated to newer solutions. That is the reason I got my hands on one: it was replaced by a docsis-based modem. For as far as I can tell these modems are based on homepna or homeplug, over coax networks (the tools on the router don't tell what kind of standards the coax side uses). I'd like to know if any of these are still used in the wild. If you find this post because you got bored and looked at the underside of the wifi box in your holiday park, get in touch! My e-mail address is at the bottom of this page and I'm on twitter as @khoos.
2022-09-22 Getting further into the Corinex CXWC-HD200-WNeH: I got root!
Read the rest of Getting further into the Corinex CXWC-HD200-WNeH: I got root!This week I was attending a course in hardware hacking: HackLab: Hardware Hacking at the Deloitte office in Den Haag. How to find the right pins to get a commandline on a router-like device was part of this course, and the last day there was an option to Bring Your Own Device, to hack it. So I brought this router as I thought it was an ideal target to get access to it, since on the earlier try I could not get into the webinterface of the Corinex CXWC-HD200-WNeH device.So this time I took out the screwdriver, voided the warranty of the device by breaking the little sticker on the side and opening it. It has a board with the powersupply and cable interface parts. The powersupply is shielded with some plastic. There is a smaller board with the main chip which contains the processor, ram, wifi module. The first task was to find the uart interface which should give a serial console. That's a skill I learned in the hacklab: first find out which pins have continuity to ground with the device switched off. With a simple multimeter which has a beeping continuity meter this is simple. The beep makes it possible to test the device without looking at the meter. After that it's a matter of switching the multimeter to voltage and checking other pins for voltage. Usually there are 4 pins on a uart port: ground which is physically connected to the device ground, receive data and send data and a reference voltage. On measuring the pins the reference voltage will be at the steady maximum voltage, the data transmitting from the device will be varying and the pin where the device expects data will be at 0 volt. Uart ports can be 5 volt, 3.3 volt, 2.5 volt or 1.8 volt in recent devices. 5 and 3.3 volt are the most common. USB serial interfaces that support 5 and 3.3 volt are cheap (3 euro), USB serial interfaces that support all 4 are somewhat more expensive (10 euro). For the Corinex router the voltage is 3.3 Volt. There was a 3.3 Volt ftdi USB to serial interface available, so I was able to access the uart port. I connected to the uart port, used a terminal program and searched for the right serial port settings and ended up at 57600 baud, 8 bits, no parity, 1 stopbit. After looking at all the boot messages I was greeted with a root prompt. No more hacking, just full access. The system boots using the U-Boot bootloader. The system runs linux with a 2.6.21 kernel. I looked around on the filesystem and started looking for the configuration for the webserver hoping to find the username/password. I found this in /flash/config so I could get into that interface as well. I also found it was running a telnet server, but not on the standard port. The port was 32560. Without commands like netstat or ss I had to learn this from /proc/net/tcp. Browsing the iptables listing shows that port 80 is supposed to be allowed and other ports aren't, but 32560 reacts fine. Chip found: Ralink RT3052F processor with embedded ram and flash and with 2.4 GHz wifi and a network switch for 1 gigabit port and 5 100 mbit ports. Things I'd still like to do: copy the entire filesystem to another computer so I can research it and check around the web interface for security issues.
2022-09-17 Looking into the Corinex CXWC-HD200-WNeH
Read the rest of Looking into the Corinex CXWC-HD200-WNeHI have a "Corinex Detachable Wireless-N Cable Access" Corinex CXWC-HD200-WNeH to play with. This has been used for Internet access over TV coax cable in a bungalow park where it has been replaced. So it is some sort of cable modem. According to the source it's not managed network over cable (docsis) but more like ethernet over cable, a relative of ethernet over powerline. Searching a bit finds hempro | JPK consulting which seems to be the next generation and isn't compatible. I also found Docsis, EOC of Moca toegepast in kleine kabeltelevisienetwerken which mentions that Corinex products are ethernet over cable according to the HomePNA (abbreviated HPNA) 3.1 standard. The only mention of these devices are for Dutch bungalow parks or campsites, for example woon op een camping, open wifi. geen internet. The site at corinex.nl just lists why you should stop relying on these devices and replace them with newer technologies that are supported. It's not clear to me whether I can simply set up a network with a bit of coax and another HomePNA coax interface or whether I need some sort of headend. Time to play with the device and see how far I can get!